CVE-2025-40070

Summary

In the Linux kernel, the following vulnerability has been resolved:

pps: fix warning in pps_register_cdev when register device fail

Similar to previous commit 2a934fdb01db ("media: v4l2-dev: fix error handling in __video_register_device()"), the release hook should be set before device_register(). Otherwise, when device_register() return error and put_device() try to callback the release function, the below warning may happen.

————[ cut here ]———— WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567 Modules linked in: CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567 Call Trace: <TASK> kobject_cleanup+0x136/0x410 lib/kobject.c:689 kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0xe9/0x130 lib/kobject.c:737 put_device+0x24/0x30 drivers/base/core.c:3797 pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402 pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108 pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57 tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432 tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563 tiocsetd drivers/tty/tty_io.c:2429 [inline] tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:598 [inline] __se_sys_ioctl fs/ioctl.c:584 [inline] __x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK>

Before commit c79a39dc8d06 ("pps: Fix a use-after-free"), pps_register_cdev() call device_create() to create pps->dev, which will init dev->release to device_create_release(). Now the comment is outdated, just remove it.

Thanks for the reminder from Calvin Owens, 'kfree_pps' should be removed in pps_register_source() to avoid a double free in the failure case.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux785c78ed0d39d1717cca3ef931d3e51337b5e90e < 38c7bb10aae5118dd48fa7a82f7bf93839bcc320affected
LinuxLinux1a7735ab2cb9747518a7416fb5929e85442dec62 < 2a194707ca27a3b0523023fa8b446e5ec922dc51affected
LinuxLinuxc4041b6b0a7a3def8cf3f3d6120ff337bc4c40f7 < 125527db41805693208ee1aacd7f3ffe6a3a489caffected
LinuxLinux91932db1d96b2952299ce30c1c693d834d10ace6 < 4cbd7450a22c5ee4842fc4175ad06c0c82ea53a8affected
LinuxLinuxcd3bbcb6b3a7caa5ce67de76723b6d8531fb7f64 < cf71834a0cfc394c72d62fd6dbb470ee13cf8f5eaffected
LinuxLinux7e5ee3281dc09014367f5112b6d566ba36ea2d49 < f01fa3588e0b3cb1540f56d2c6bd99e5b3810234affected
LinuxLinuxc79a39dc8d060b9e64e8b0fa9d245d44befeefbe < 0f97564a1fb62f34b3b498e2f12caffbe99c004aaffected
LinuxLinuxc79a39dc8d060b9e64e8b0fa9d245d44befeefbe < b0531cdba5029f897da5156815e3bdafe1e9b88daffected
LinuxLinux85241f7de216f8298f6e48540ea13d7dcd100870affected
LinuxLinux5.4.291 < 5.4.301affected
LinuxLinux5.10.235 < 5.10.246affected
LinuxLinux5.15.179 < 5.15.195affected
LinuxLinux6.1.129 < 6.1.156affected
LinuxLinux6.6.76 < 6.6.112affected
LinuxLinux6.12.13 < 6.12.53affected
LinuxLinux6.13.2 < 6.14affected
LinuxLinux6.14affected
LinuxLinux0 < 6.14unaffected
LinuxLinux5.4.301 <= 5.4.*unaffected
LinuxLinux5.10.246 <= 5.10.*unaffected
LinuxLinux5.15.195 <= 5.15.*unaffected
LinuxLinux6.1.156 <= 6.1.*unaffected
LinuxLinux6.6.112 <= 6.6.*unaffected
LinuxLinux6.12.53 <= 6.12.*unaffected
LinuxLinux6.17.3 <= 6.17.*unaffected
LinuxLinux6.18 <= *unaffected

Weaknesses

References